Empty settings page for users with custom role having the manage_options capability #544

Open
2 tasks done
rvdsteege opened this issue Apr 3, 2024 · 0 comments · May be fixed by #546


Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.4.3

Cloudflare-WordPress version

4.12.6

PHP version

7.4.33

Expected result

A user with a custom role which has the manage_options capability, being able to purge the cache through the Settings → Cloudflare page.

Actual result

When clicking the "Cloudflare" admin menu item, an empty page is displayed and CONFIG_FETCH_ERROR and ZONES_FETCH_ERRORS errors occur in the console.

Steps to reproduce

  1. Create a user with custom role, having the manage_options capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)
  2. Visit Settings → Cloudflare

Additional factoids

It appears that the changes from #529 are causing the issues (released in version 4.12.3). The "Cloudflare" admin menu item requires the manage_options capability and the WordPress AJAX action cloudflare_proxy — which seems needed to load the settings page — is checking for the administrator role.

    public function cloudflareConfigPage()
    {
        if (function_exists('add_options_page')) {
            add_options_page(__('Cloudflare Configuration'), __('Cloudflare'), 'manage_options', 'cloudflare', array($this, 'cloudflareIndexPage'));
        }
    }

    public function run()
    {
        if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
            return;
        }
        // ... (remainder of the method not shown in the issue)
    }

It might be better to check against the manage_options capability in the proxy too, so both will be checking the same requirement to access the settings page.


Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using current_user_can() is discouraged:

While checking against particular roles in place of a capability is supported in part, this practice is discouraged as it may produce unreliable results.

    /**
     * @return boolean
     */
    public function isCurrentUserAdministrator()
    {
        return $this->wordPressWrapper->currentUserCan('administrator');
    }

    public function currentUserCan($capabilities)
    {
        return current_user_can($capabilities);
    }

References

#529

rvdsteege added a commit to rvdsteege/Cloudflare-WordPress that referenced this issue Jul 29, 2024
Fix empty settings page for users with `manage_options` capability (cloudflare#544).
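
The mismatch reported in this issue, as an added example that is not part of the original issue or the plugin's code: a simplified model of how WordPress resolves capabilities, showing the menu gate and the proxy gate disagreeing for a custom role. The `site_manager` and `editor` sample roles, their capability sets, and the helper names `effective_caps` and `user_can` are assumptions made for the illustration.

```php
<?php
// Simplified model of WordPress capability resolution (an illustrative
// assumption, not WordPress core): a user's effective caps are the union of
// the caps granted by each of their roles, plus each role name itself.
$roles = [                                   // constructed sample roles
    'administrator' => ['manage_options' => true, 'edit_posts' => true],
    'site_manager'  => ['manage_options' => true],   // custom role
    'editor'        => ['edit_posts' => true],
];

function effective_caps(array $userRoles, array $roles): array
{
    $caps = [];
    foreach ($userRoles as $role) {
        $caps[$role] = true;                 // role name doubles as a cap
        $caps = array_merge($caps, $roles[$role] ?? []);
    }
    return $caps;
}

function user_can(array $userRoles, string $cap, array $roles): bool
{
    return !empty(effective_caps($userRoles, $roles)[$cap]);
}

// The two gates from the issue: the settings menu and the AJAX proxy.
$menuGate      = fn(array $u) => user_can($u, 'manage_options', $roles);
$proxyGateRole = fn(array $u) => user_can($u, 'administrator', $roles);  // reported behaviour
$proxyGateCap  = fn(array $u) => user_can($u, 'manage_options', $roles); // same requirement as the menu

foreach ([['administrator'], ['site_manager'], ['editor']] as $u) {
    $menu = $menuGate($u);
    printf(
        "%-14s menu=%s proxy(role)=%s proxy(cap)=%s%s\n",
        $u[0],
        var_export($menu, true),
        var_export($proxyGateRole($u), true),
        var_export($proxyGateCap($u), true),
        $menu !== $proxyGateRole($u) ? '  <- menu visible, proxy refuses' : ''
    );
}
```

Only the custom role is flagged: it passes the `manage_options` menu check but fails the role-name check, which matches the empty page described above, while a capability check in both places gives the same answer for every sample user.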